  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1025

QOS Police/Rate Limit

I have a Cisco 1841 router that is connected to a 10MG internet connection. The LAN side consists of an interface of 172.16.0.1/255.255.252.0. The router is set up to provide DHCP in the 172.16.0.0/255.255.252.0 range and NAT the LAN to the internet. The internet connection connects to Fa 0/0 and the LAN is on Fa 0/1.

I have a couple of users who habitually are abusing the 10 mg internet connection. I'd like to put in a QOS policy that would only ever allow any 1 IP in the 172.16.0.0 range 1mg. Right now I've got a couple of users who will be using 4 to 8 mg of the pipe consistently.
Asked by brianstamper

3 Solutions

that1guy15 commented:
Limiting traffic per IP will take a lot more work than you want. My suggestion would be to set up QoS classes on your router, one for the offending user IPs and then one for the rest. You can then limit the amount of traffic each class can use.
So set up a class for the offending users with an ACL. You can either enter a line for each IP or you can specify a range of IPs. You will then create a policy that specifies the bandwidth limit for that class. You will then apply the policy to your outbound Internet interface.
Here is an example config that matches all IP addresses in ACL 10. These IPs as a group will be limited to no more than 3Mbps of outbound traffic. Anything from these IPs above 3Mbps will be dropped. All other traffic will be allowed to use the full amount of the 10Mbps connection.
My only concern with this setup is any users not in the class being limited can overuse the 10Mbps connection, or if the offending users' IP address changes then you will have to add it to the ACL or adjust your config.
 

! Single hosts: a wildcard of 0.0.0.0 matches exactly one address
! (a wildcard of 0.0.0.255 would match the whole 172.16.0.0/24, not one host)
access-list 10 permit 172.16.0.14 0.0.0.0
access-list 10 permit 172.16.0.27 0.0.0.0
access-list 10 permit 172.16.0.192 0.0.0.0
! One line per IP, or use a range like below (wildcard 0.0.0.7 covers 172.16.0.0 - 172.16.0.7)
access-list 10 permit 172.16.0.0 0.0.0.7

class-map LIMIT172
 match access-group 10

policy-map LIMITBW_3Mbps
 class LIMIT172
  ! cir is in bits per second (3000000 = 3 Mbps), be is the burst allowance in bytes
  police cir 3000000 be 24000 conform-action transmit exceed-action drop
  ! Does not allow traffic above 3 Mbps from this class

interface FastEthernet0/0
 service-policy output LIMITBW_3Mbps


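To see what the police statement in the answer above actually does to a client's traffic, here is an added token-bucket model of the IOS single-rate, two-colour policer (conform-action transmit, exceed-action drop). It is example code written for this page, not router code or anything from Cisco: it uses the 3 Mbps rate and 24000-byte burst the answer describes, and the 8 Mbps "abusive" and 1 Mbps "well-behaved" flows are constructed inline as evenly spaced 1500-byte packets.

```python
"""Token-bucket model of an IOS single-rate, two-colour policer:
  police cir <bps> be <bytes> conform-action transmit exceed-action drop
Traffic is constructed inline; Fraction keeps the refill arithmetic exact so
the conform/exceed decision is deterministic. Added example, not router code."""
from fractions import Fraction


class Policer:
    """Bucket holds at most be_bytes tokens and refills at cir_bps/8 bytes per second.
    A packet conforms if enough tokens are present; an exceeding packet is dropped
    without consuming tokens (two-colour behaviour, there is no violate-action)."""

    def __init__(self, cir_bps, be_bytes):
        self.cir_bps = cir_bps
        self.be_bytes = be_bytes
        self.tokens = Fraction(be_bytes)   # the bucket starts full
        self.last_us = 0

    def offer(self, t_us, size_bytes):
        """Return True if the packet arriving at t_us microseconds is transmitted."""
        refill = Fraction(self.cir_bps, 8) * Fraction(t_us - self.last_us, 1_000_000)
        self.tokens = min(Fraction(self.be_bytes), self.tokens + refill)
        self.last_us = t_us
        if self.tokens >= size_bytes:
            self.tokens -= size_bytes
            return True
        return False


def constant_rate_flow(rate_bps, pkt_bytes, duration_s=1):
    """Constructed traffic: evenly spaced packets of pkt_bytes at rate_bps for duration_s."""
    interval_us = pkt_bytes * 8 * 1_000_000 // rate_bps
    return [(t, pkt_bytes) for t in range(0, duration_s * 1_000_000, interval_us)]


def police(flow, cir_bps=3_000_000, be_bytes=24_000):
    """Run a flow through the policer and summarise it the way the
    'show policy-map interface' conformed/exceeded counters would."""
    p = Policer(cir_bps, be_bytes)
    stats = {"conformed_pkts": 0, "conformed_bytes": 0,
             "exceeded_pkts": 0, "exceeded_bytes": 0}
    for t_us, size in flow:
        key = "conformed" if p.offer(t_us, size) else "exceeded"
        stats[key + "_pkts"] += 1
        stats[key + "_bytes"] += size
    return stats


if __name__ == "__main__":
    # An 8 Mbps client and a 1 Mbps client, each offered to the 3 Mbps policer for one second.
    for rate in (8_000_000, 1_000_000):
        s = police(constant_rate_flow(rate, 1500))
        print(f"{rate / 1e6:.0f} Mbps offered -> "
              f"{s['conformed_bytes'] * 8 / 1e6:.2f} Mbps forwarded, {s['exceeded_pkts']} drops")
```

The 8 Mbps flow gets the full 24000-byte burst through at the start and then settles to exactly three packets in eight, i.e. 3 Mbps, with every extra packet dropped rather than queued; the 1 Mbps flow never empties the bucket and sees no loss. A policer enforces the limit by discarding, so a TCP download will back off to the rate on its own, which is the behaviour the answer is after.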
 
that1guy15 commented:
My other suggestion is to setup a more dynamic approach.
If you know the traffic type these users are abusing (such as FTP, P2P file sharing, etc) you can setup NBAR on the router to classify traffic based on usage.
You can then limit each class as to a specified bandwidth.
So for example you can have P2p file sharing software to 500Kbps, FTP traffic to 2Mbps and HTTP/HTTPS traffic to 4Mbps.
NBAR can get pretty detailed with traffic classification, but it also takes a good chunk of your CPU/memory usage on your router. So just keep an eye on this.
http://www.cisco.rw/en/US/docs/ios/12_2/qos/configuration/guide/qcfnbar_ps1835_TSD_Products_Configuration_Guide_Chapter.html 
 
joelvp commented:
I guess the major part of the traffic is download? In that case you will have to add the service policy to the LAN side, i.e.
int f0/1
service-policy output LIMITBW_3Mbps

with indeed a suggestion to use NBAR, so

class-map LIMIT172
 Match protocol http
 Match protocol ftp

And maybe other protocols as well. You also have methods to first find out which are the abusing protocols and users, using NBAR discovery or IP accounting.

or, if you really want to limit only certain ip addresses:
access-list 101 permit ip any host 172.16.0.14

with
class-map LIMIT172
 Match access-group 101

Rgds, Joel
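The two answers above hinge on what the class-map's access list really selects: a wildcard mask and the `host` keyword are easy to get backwards, and a policy on the LAN interface's output matches on the destination, not the source. Here is an added offline evaluator for the two ACL forms that appear on this page (standard `access-list N permit A W` and extended `access-list N permit ip SRC DST`). It is example code written for this page, not IOS or anything from the posters; the ACL lines and the sample packets (an internet host in the 203.0.113.0/24 documentation range talking to a few LAN clients) are constructed for the demonstration.

```python
"""Evaluate Cisco IOS numbered ACL entries offline to check what a class-map
'match access-group' would actually catch. Supports the forms on this page:
standard  'access-list N permit A [W]'
extended  'access-list N permit ip SRC DST'  with SRC/DST = any | host A | A W
Added example, not IOS code; sample ACLs and traffic are constructed."""
import ipaddress

ANY = (0, 0xFFFFFFFF)  # 0.0.0.0 with wildcard 255.255.255.255


def ip_int(s):
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr, spec):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    base, wc = spec
    care = ~wc & 0xFFFFFFFF
    return (ip_int(addr) & care) == (base & care)


def addresses_covered(wildcard):
    """How many addresses a wildcard mask spans: 2 ** (number of 1 bits)."""
    return 1 << bin(ip_int(wildcard)).count("1")


def _parse_spec(t, i):
    """Consume one address spec starting at t[i]; return (spec, next index)."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (ip_int(t[i + 1]), 0), i + 2
    return (ip_int(t[i]), ip_int(t[i + 1])), i + 2


def parse_ace(line):
    """Parse one access-list line into (action, src_spec, dst_spec)."""
    t = line.split()
    number, action = int(t[1]), t[2]
    if number <= 99 or 1300 <= number <= 1999:     # standard ACL: source only
        wc = t[4] if len(t) > 4 else "0.0.0.0"    # no wildcard given means one host
        return action, (ip_int(t[3]), ip_int(wc)), ANY
    src, i = _parse_spec(t, 4)                    # extended ACL: t[3] is the protocol
    dst, _ = _parse_spec(t, i)
    return action, src, dst


def acl_permits(acl_lines, src, dst):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for line in acl_lines:
        action, s, d = parse_ace(line)
        if wildcard_match(src, s) and wildcard_match(dst, d):
            return action == "permit"
    return False


def classified(acl_lines, packets):
    """Return the (src, dst) pairs the class-map would put into the policed class."""
    return [p for p in packets if acl_permits(acl_lines, *p)]


# Constructed sample traffic: one internet host and a handful of LAN clients.
INTERNET = "203.0.113.10"
LAN_CLIENTS = ("172.16.0.5", "172.16.0.14", "172.16.0.27",
               "172.16.0.192", "172.16.0.200", "172.16.1.14")
DOWNLOADS = [(INTERNET, c) for c in LAN_CLIENTS]   # what f0/1 sends out toward the LAN
UPLOADS = [(c, INTERNET) for c in LAN_CLIENTS]     # what f0/0 sends out toward the internet

ACL_WIDE_WILDCARD = ["access-list 10 permit 172.16.0.14 0.0.0.255"]  # looks like one host, is not
ACL_ONE_HOST = ["access-list 10 permit 172.16.0.14 0.0.0.0"]
ACL_RANGE = ["access-list 10 permit 172.16.0.0 0.0.0.7"]
ACL_101 = ["access-list 101 permit ip any host 172.16.0.14"]

if __name__ == "__main__":
    print("0.0.0.255 covers", addresses_covered("0.0.0.255"), "addresses")
    print("wide wildcard, uploads:", classified(ACL_WIDE_WILDCARD, UPLOADS))
    print("one host, uploads:     ", classified(ACL_ONE_HOST, UPLOADS))
    print("one host, downloads:   ", classified(ACL_ONE_HOST, DOWNLOADS))
    print("ACL 101, downloads:    ", classified(ACL_101, DOWNLOADS))
```

Two things fall out of running it. A standard entry written as `172.16.0.14 0.0.0.255` selects every 172.16.0.x address (256 of them), so the "one line per IP" policy would throttle a whole /24 instead of one user; `0.0.0.0` or `host` is what selects a single address. And a source-based standard ACL matches nothing on the download direction, because there the offender is the destination, which is why the extended `permit ip any host 172.16.0.14` form belongs on the LAN-side output policy.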
 
joelvp commented:
Oh, one more addition. You may also add the policy inbound on the f0/0; however, because I guess you are doing NATting, you may not be able to filter on your LAN IP.
